New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT - The Hacker News

New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT Ravie LakshmananOct 03, 2025Cybersecurity / Malware A threat actor that's known to share overlaps with a hacking group called YoroTrooper has been observed targeting the Russian public sector with malware families such as FoalShell and StallionRAT. Cybersecurity vendor BI.ZONE is tracking the activity under the moniker Cavalry Werewolf. It's also assessed to have commonalities with clusters tracked as SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris. "In order to gain initial access, the attackers sent out targeted phishing emails disguising them as official correspondence from Kyrgyz government officials," BI.ZONE said. "The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises." In August 2025, Group-IB revealed attacks mounted by ShadowSilk targeting government entities in Central Asia and Asia-Pacific (APAC), using reverse proxy tools and remote access trojans written in Python and subsequently ported to PowerShell. Cavalry Werewolf's ties to Tomiris are significant, not least because it further lends credence to a hypothesis that it's a Kazakhstan-affiliated threat actor. In a report late last year, Microsoft attributed the Tomiris backdoor to a Kazakhstan-based threat actor tracked as Storm-0473. The latest phishing attacks, observed between May and August 2025, involve sending email messages using fake email addresses that impersonate Kyrgyzstan government employees to distribute RAR archives that deliver FoalShell or StallionRAT. In at least one case, the threat actor is said to have compromised a legitimate email address associated with the Kyrgyz Republic's regulatory authority to send the messages. FoalShell is a lightweight reverse shell that appears in Go, C++, and C# versions, allowing the operators to run arbitrary commands using cmd.exe. StallionRAT is no different in that it is written in Go, PowerShell, and Python, and enables the attackers to execute arbitrary commands, load additional files, and exfiltrate collected data using a Telegram bot. Some of the commands supported by the bot include - /list, to receive a list of compromised hosts (DeviceID and computer name) connected to the command-and-control (C2) server /go [DeviceID] [command], to execute the given command using Invoke-Expression /upload [DeviceID], to upload a file to the victim's device Also executed on the compromised hosts are tools like ReverseSocks5Agent and ReverseSocks5, as well as commands to gather device information. The Russian cybersecurity vendor said it also uncovered various filenames in English and Arabic, suggesting that the targeting focus of Cavalry Werewolf may be broader in scope than previously assumed.  "Cavalry Werewolf is actively experimenting with expanding its arsenal," BI.ZONE said. "This highlights the importance of having quick insights into the tools used by the cluster; otherwise, it would be impossible to maintain up-to-date measures to prevent and detect such attacks." The disclosure comes as the company disclosed that an analysis of publications on Telegram channels or underground forums by both financially motivated attackers and hacktivists over the past year has identified compromises of at least 500 companies in Russia, most of which spanned commerce, finance, education, and entertainment sectors. "In 86% of cases attackers published data stolen from compromised public‑facing web applications," it noted. "After gaining access to the public web application, the attackers installed gs‑netcat on the compromised server to ensure persistent access. Sometimes, the attackers would load additional web shells. They also used legitimate tools such as Adminer, phpMiniAdmin, and mysqldump to extract data from databases." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, data breach, kazakhstan, Malware, Microsoft, Phishing, Russia, Telegram Trending News CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security Load More ▼ Popular Resources [Guide] Learn How to Govern AI Agents With Proven Market Guidance Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats